4.2. Configuring ARP Proxy
Overview
Function Introduction
Proxy ARP, the most common method for learning about other routes, enables an Ethernet host with no routing information to communicate with hosts on other networks or subnets. The host assumes that all hosts are on the same local Ethernet and that it can use ARP to determine their MAC addresses. If a switch receives an ARP request for a host that is not on the same network as the sender, the switch evaluates whether it has the best route to that host. If it does, it sends an ARP reply packet with its own Ethernet MAC address; the host that sent the request then sends the packet to the switch, which forwards it to the intended host. Proxy ARP treats all networks as if they are local and performs ARP requests for every IP address.
Proxy ARP is divided into two parts: proxy ARP and local proxy ARP. Local proxy ARP is always used in topologies where port isolation is enabled on the device but the hosts still need to communicate through routing. Internet Control Message Protocol (ICMP) redirects are disabled on interfaces where the local proxy ARP feature is enabled.
Principle Description
N/A
Configuration
Configuring ARP Proxy
As seen in the above topology, PC1 belongs to VLAN 10 and PC2 belongs to VLAN 20. If the ARP proxy feature is not enabled, PC1 and PC2 cannot communicate with each other. The following steps enable the ARP proxy feature on both VLAN interface 10 and VLAN interface 20.
step 1 Enter the configure mode
Switch# configure terminal
step 2 Enter the vlan configure mode and create vlan
Switch(config)# vlan database
Switch(config-vlan)# vlan 10,20
Switch(config-vlan)# exit
step 3 Enter the interface configure mode, set the switch port mode and bind to the vlan
Switch(config)# interface eth-0-22
Switch(config-if)# switchport access vlan 10
Switch(config-if)# no shutdown
Switch(config-if)# exit
Switch(config)# interface eth-0-23
Switch(config-if)# switchport access vlan 20
Switch(config-if)# no shutdown
Switch(config-if)# exit
step 4 Create the vlan interface, configure the ip address, and enable arp proxy
Switch(config)# interface vlan 10
Switch(config-if)# ip address 192.168.10.1/24
Switch(config-if)# proxy-arp enable
Switch(config-if)# exit
Switch(config)# interface vlan 20
Switch(config-if)# ip address 192.168.20.1/24
Switch(config-if)# proxy-arp enable
Switch(config-if)# exit
step 5 Exit the configure mode
Switch(config)# end
step 6 Validation
Use the following commands to display the ARP proxy configuration on the switch:
Switch# show ip interface vlan 10
Interface vlan10
Interface current state: UP
Internet address(es):
192.168.10.1/24 broadcast 192.168.10.255
Joined group address(es):
224.0.0.1
The maximum transmit unit is 1500 bytes
ICMP error messages limited to one every 1000 milliseconds
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are always sent
ARP timeout 01:00:00, ARP retry interval 1s
ARP Proxy is enabled, Local ARP Proxy is disabled
VRRP master of : VRRP is not configured on this interface
Switch# show ip interface vlan 20
Interface vlan20
Interface current state: UP
Internet address(es):
192.168.20.1/24 broadcast 192.168.20.255
Joined group address(es):
224.0.0.1
The maximum transmit unit is 1500 bytes
ICMP error messages limited to one every 1000 milliseconds
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are always sent
ARP timeout 01:00:00, ARP retry interval 1s
ARP Proxy is enabled, Local ARP Proxy is disabled
VRRP master of : VRRP is not configured on this interface
Use the following command to display the ARP entries on the switch:
Switch# show ip arp
Protocol Address Age (min) Hardware Addr Interface
Internet 192.168.10.1 - 7cc3.11f1.aa00 vlan10
Internet 192.168.10.111 5 0cf9.11b6.6e2e vlan10
Internet 192.168.20.1 - 7cc3.11f1.aa00 vlan20
Internet 192.168.20.222 6 5a94.031f.2357 vlan20
Use the following command to display the information on PC1:
[Host:~]$ ifconfig eth0
eth0 Link encap:Ethernet HWaddr 0C:F9:11:B6:6E:2E
inet addr:192.168.10.111 Bcast:192.168.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1600 Metric:1
RX packets:11 errors:0 dropped:0 overruns:0 frame:0
TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:588 (588.0 b) TX bytes:700 (700.0 b)
Interrupt:5
[Host:~]$ arp -a
? (192.168.20.222) at 7c:c3:11:f1:aa:00 [ether] on eth0
[Host: ~]$ route -v
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.0.0 * 255.255.0.0 U 0 0 0 eth0
[Host:~]$ ping 192.168.20.222
PING 192.168.20.222 (192.168.20.222) 56(84) bytes of data.
64 bytes from 192.168.20.222: icmp_seq=0 ttl=63 time=189 ms
64 bytes from 192.168.20.222: icmp_seq=1 ttl=63 time=65.2 ms
--- 192.168.20.222 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 65.209/127.226/189.244/62.018 ms, pipe 2
Use the following command to display the information on PC2:
[Host:~]$ ifconfig eth0
eth0 Link encap:Ethernet HWaddr 5A:94:03:1F:23:57
inet addr:192.168.20.222 Bcast:192.168.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1600 Metric:1
RX packets:14 errors:0 dropped:0 overruns:0 frame:0
TX packets:17 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:784 (784.0 b) TX bytes:1174 (1.1 KiB)
Interrupt:5
[Host:~]$ arp -a
? (192.168.10.111) at 7c:c3:11:f1:aa:00 [ether] on eth0
[Host: ~]$ route -v
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.0.0 * 255.255.0.0 U 0 0 0 eth0
[Host: ~]$ ping 192.168.10.111
PING 192.168.10.111 (192.168.10.111) 56(84) bytes of data.
64 bytes from 192.168.10.111: icmp_seq=0 ttl=63 time=53.8 ms
64 bytes from 192.168.10.111: icmp_seq=1 ttl=63 time=65.8 ms
--- 192.168.10.111 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1007ms
rtt min/avg/max/mdev = 53.832/59.842/65.852/6.010 ms, pipe 2
Configuring Local ARP Proxy
As shown in the above topology, eth-0-2, eth-0-3 and eth-0-4 belong to VLAN 10. eth-0-3 and eth-0-4 are both in port isolate group 1, and eth-0-2 is in port isolate group 3, so packets received on eth-0-3 cannot be flooded to eth-0-4, but packets received on eth-0-2 can be flooded to both eth-0-3 and eth-0-4. PC1 is connected to port eth-0-3 and PC2 is connected to port eth-0-4. Configure the switches with the following steps so that PC1 and PC2 can communicate.
The configurations of switch A and switch B are the same unless otherwise noted.
step 1 Enter the configure mode
Switch# configure terminal
step 2 Enter the vlan configure mode and create vlan
Switch(config)# vlan database
Switch(config-vlan)# vlan 10
Switch(config-vlan)# exit
step 3 Enter the interface configure mode, set the switch port mode and bind to the vlan
Switch A configuration:
Switch(config)# interface eth-0-1
Switch(config-if)# switchport access vlan 10
Switch(config-if)# no shutdown
Switch(config-if)# exit
Switch B configuration:
Switch(config)# interface range eth-0-2 - 4
Switch(config-if-range)# switchport access vlan 10
Switch(config-if-range)# no shutdown
Switch(config-if-range)# exit
step 4 Create the vlan interface, configure the ip address, and enable local arp proxy
Switch A configuration:
Switch(config)# interface vlan 10
Switch(config-if)# ip address 192.168.10.1/24
Switch(config-if)# local-proxy-arp enable
Switch(config-if)# exit
step 5 Configuring port isolation (optional)
Switch B configuration:
After configuring port isolation as below, eth-0-3 and eth-0-4 on switch B are isolated in the layer 2 network.
Switch(config)# port-isolate mode l2
Switch(config)# interface range eth-0-3 - 4
Switch(config-if-range)# port-isolate group 1
Switch(config-if-range)# exit
Switch(config)# interface eth-0-2
Switch(config-if)# port-isolate group 3
Switch(config-if)# exit
step 6 Validation
Use the following command to display the ARP entries on switch A:
Switch# show ip arp
Protocol Address Age (min) Hardware Addr Interface
Internet 192.168.10.1 - eeb4.2a8d.6c00 vlan10
Internet 192.168.10.111 0 34b0.b279.5f67 vlan10
Internet 192.168.10.222 0 2a65.9618.57fa vlan10
Use the following command to display the ARP configuration on the VLAN interface of switch A:
Switch# show ip interface vlan 10
Interface vlan10
Interface current state: UP
Internet address(es):
192.168.10.1/24 broadcast 192.168.10.255
Joined group address(es):
224.0.0.1
The maximum transmit unit is 1500 bytes
ICMP error messages limited to one every 1000 milliseconds
ICMP redirects are never sent
ICMP unreachables are always sent
ICMP mask replies are always sent
ARP timeout 01:00:00, ARP retry interval 1s
ARP Proxy is disabled, Local ARP Proxy is enabled
VRRP master of : VRRP is not configured on this interface
Use the following command to display the information on PC1:
[Host: ~]$ ifconfig eth0
eth0 Link encap:Ethernet HWaddr 34:B0:B2:79:5F:67
inet addr:192.168.10.111 Bcast:192.168.10.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1600 Metric:1
RX packets:22 errors:0 dropped:0 overruns:0 frame:0
TX packets:28 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1344 (1.3 KiB) TX bytes:2240 (2.1 KiB)
Interrupt:5
[Host: ~]$ arp -a
? (192.168.10.222) at ee:b4:2a:8d:6c:00 [ether] on eth0
[Host: ~]$ ping 192.168.10.222
PING 192.168.10.222 (192.168.10.222) 56(84) bytes of data.
64 bytes from 192.168.10.222: icmp_seq=0 ttl=63 time=131 ms
64 bytes from 192.168.10.222: icmp_seq=1 ttl=63 time=159 ms
--- 192.168.10.222 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1003ms
rtt min/avg/max/mdev = 131.078/145.266/159.454/14.188 ms, pipe 2
Use the following command to display the information on PC2:
[Host:~]$ ifconfig eth0
eth0 Link encap:Ethernet HWaddr 2A:65:96:18:57:FA
inet addr:192.168.10.222 Bcast:192.168.10.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1600 Metric:1
RX packets:19 errors:0 dropped:0 overruns:0 frame:0
TX packets:20 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1148 (1.1 KiB) TX bytes:1524 (1.4 KiB)
Interrupt:5
[Host:~]$ arp -a
? (192.168.10.111) at ee:b4:2a:8d:6c:00 [ether] on eth0
[Host: ~]$ ping 192.168.10.111
PING 192.168.10.111 (192.168.10.111) 56(84) bytes of data.
64 bytes from 192.168.10.111: icmp_seq=0 ttl=63 time=198 ms
64 bytes from 192.168.10.111: icmp_seq=1 ttl=63 time=140 ms
64 bytes from 192.168.10.111: icmp_seq=2 ttl=63 time=146 ms
--- 192.168.10.111 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2008ms
rtt min/avg/max/mdev = 140.196/161.959/198.912/26.267 ms, pipe 2
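In both validation sections above, each PC's ARP cache maps the peer's IP address to the switch's MAC address, which on the host looks the same as a spoofed ARP entry. The following added example (not part of the original guide or the vendor's tooling) cross-checks a host's "arp -a" output against the switch's "show ip arp" output so that proxied entries can be told apart from unexpected ones. It assumes that an age of "-" marks the switch's own interface address, as in the output above; the function names are hypothetical.

```python
import re

# Constructed sample input: switch A "show ip arp" and PC1 "arp -a" as shown
# in the local proxy ARP validation output above.
SWITCH_ARP = """\
Protocol Address Age (min) Hardware Addr Interface
Internet 192.168.10.1 - eeb4.2a8d.6c00 vlan10
Internet 192.168.10.111 0 34b0.b279.5f67 vlan10
Internet 192.168.10.222 0 2a65.9618.57fa vlan10
"""
HOST_ARP = "? (192.168.10.222) at ee:b4:2a:8d:6c:00 [ether] on eth0\n"

HOST_ENTRY = re.compile(r"\(([\d.]+)\) at ((?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})")
SWITCH_ENTRY = re.compile(r"Internet\s+([\d.]+)\s+(\S+)\s+([0-9a-fA-F.]{14})\s+\S+")


def norm_mac(mac):
    """Reduce 'eeb4.2a8d.6c00' or 'EE:B4:2A:8D:6C:00' to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def parse_switch_arp(text):
    """Return ({ip: mac} for every entry, {mac} owned by the switch itself)."""
    table, own_macs = {}, set()
    for line in text.splitlines():
        m = SWITCH_ENTRY.match(line.strip())
        if not m:
            continue  # header or blank line
        ip, age, mac = m.group(1), m.group(2), norm_mac(m.group(3))
        table[ip] = mac
        if age == "-":  # assumption: age "-" marks the switch's own interface
            own_macs.add(mac)
    return table, own_macs


def classify_host_cache(host_text, switch_text):
    """Label each complete host ARP cache entry: direct, proxied or unexpected."""
    table, own_macs = parse_switch_arp(switch_text)
    result = {}
    for ip, mac in HOST_ENTRY.findall(host_text):
        mac = norm_mac(mac)
        if table.get(ip) == mac:
            result[ip] = "direct"      # cache holds the MAC the switch learned
        elif mac in own_macs:
            result[ip] = "proxied"     # switch answered on the peer's behalf
        else:
            result[ip] = "unexpected"  # neither peer nor switch: investigate
    return result


if __name__ == "__main__":
    print(classify_host_cache(HOST_ARP, SWITCH_ARP))
```

An "unexpected" result means the cached MAC belongs to neither the peer nor the switch, which is the case worth investigating on a segment where proxy ARP is enabled.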
Application cases
N/A